Cybercrime doesn’t discriminate based on size or mission. Nonprofits, especially smaller organizations, are increasingly targeted because attackers know resources are limited, IT systems are often outsourced, and staff are stretched thin. Recent headlines prove it:
– In 2020, the Philadelphia food bank Philabundance lost nearly $1M in a fake invoice scam. How did it happen? The charity paid fraudulent invoices to a bad actor posing as a construction company.
– In 2024, one of the nation’s best pediatric hospitals, Lurie Children’s Hospital in Chicago, was forced to take its IT systems offline after a ransomware attack, disrupting normal operations and delaying critical medical care for sick children for weeks. Rhysida, the ransomware gang behind the attack, claimed to have sold the stolen data, which impacted nearly 800,000 people, after listing it on the dark web for $3.4M.
– The International Committee of the Red Cross saw a sophisticated cyberattack compromise the personal data of more than 515,000 people – migrants fleeing natural disaster and war, political refugees and other vulnerable individuals.
“What happens in the digital realm is transcending into kinetic risks,” says Frank McGothigan, Chief Information Security Officer at the Ford Foundation. “How we interact with technology is also becoming a problem with doxxing, online harassment, physical security, and, of course, criminal elements.” For nonprofits, a cyberattack isn’t just about lost data—it’s about lost trust. A single breach can jeopardize donor relationships, disrupt mission-critical services, and trigger regulatory penalties under laws like HIPAA or GDPR if personal data is involved. The threat of cyber attacks is very real – and the responsibility for safeguarding valuable data and systems belongs to us all.
You might think your organization is small and doing good work, so why would anyone target a nonprofit? The truth is that you likely hold valuable donor data. A small staff and a small budget also make you a target. Attackers know that limited IT budgets create gaps, and that small organizations are more likely to rely on third-party platforms and outsourced IT services. This leaves many organizations vulnerable: without a cybersecurity program, they have no way to identify, protect against, detect, respond to, and recover from attacks.
The risks are widespread and could be devastating to your organization:
– 60% of nonprofits experienced a cyberattack in the past two years
– Ransomware attacks doubled year over year
– Average breach costs ≈ $200,000
– 70% of nonprofits lack a formal cybersecurity policy
Best Practices are the Best Practice
As the Executive Director of the Technology Association of Grantmakers (TAG), I help philanthropy executives and staff navigate technology challenges every day. Across the TAG network of over 400 organizational members, members provide their peers with advice and guidance for implementing technology strategically. I’d like to share a roadmap for that most feared topic in tech: cybersecurity.
Put simply, cybersecurity is protecting computer systems, networks, and data from unauthorized access and attacks. Navigating digital risks can be intimidating – however, it’s important to remember that no matter what, best practices are the best practice. You can’t build a resilient organization without them. I am pleased to share my recommendations for the 10 Best Practices in Cybersecurity.
5 Best Practices for Defense
The reality is that many social sector organizations have a small staff and a small IT budget. While limited resources present a challenge, you can still protect your organization. The easiest and least expensive strategy is to develop strong defenses.
Start with the five basics of cybersecurity to keep your organization safe:
Strong Passwords
The easiest solution is also the cheapest! You can mitigate risks by requiring strong, complex passwords. The experts at Hive Systems recommend passwords that are at least 16 characters in length and use a combination of letters, numbers and symbols. All your passwords should be unique (don’t use the same password in multiple places!).
Bonus: If you are using a password manager, you can have strong security without having to remember long, complicated passwords.
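As an added illustration of the password guidance above (this is example code written for this page, not a tool from TAG or Hive Systems), the script below audits a list of accounts against the stated policy: at least 16 characters, a mix of letters, numbers and symbols, and no password reused across accounts. The account names and passwords are constructed sample data shaped like a password-manager export; any non-alphanumeric character, including a space, is counted as a symbol, which is this example's own assumption.

```python
import hashlib
from collections import defaultdict

# Policy from the page: 16+ characters, letters + numbers + symbols, unique per account.
MIN_LENGTH = 16


def check_strength(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    # Assumption for this example: anything that is not a letter or digit counts as a symbol.
    if not any(not c.isalnum() for c in password):
        failures.append("no symbols")
    return failures


def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group account names by password hash so reuse can be reported without
    the report itself containing any password."""
    by_hash = defaultdict(list)
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_hash[digest].append(account)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Produce a report mapping each account to its list of problems."""
    report = {name: check_strength(pw) for name, pw in accounts.items()}
    for names in find_reuse(accounts).values():
        for name in names:
            others = ", ".join(n for n in names if n != name)
            report[name].append("reused on: " + others)
    return report


# Constructed sample data (hypothetical accounts), not real credentials.
SAMPLE_ACCOUNTS = {
    "donor-crm": "Sunset!Harbor#2024road",       # meets the policy
    "email": "Sunset!Harbor#2024road",           # same password as donor-crm: reuse
    "bank-portal": "Summer2024",                 # too short, no symbols
    "website-admin": "correct horse battery staple",  # long, but no numbers
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{account:15s} {status}")
```

Running the script prints one line per account; only "donor-crm" and "email" are flagged for reuse, "bank-portal" for length and missing symbols, and "website-admin" for missing numbers. If you rely on a password manager, the same checks are usually built into its security dashboard, so this is mainly useful for a one-off review of an exported list, which you should delete afterwards.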
Multifactor Authentication
One of the most effective security measures is multifactor authentication (MFA), which requires users to present two or more independent methods of verifying their identity when accessing IT systems or platforms. This extra layer of security means that even if a password is compromised, attackers would still need the additional verification factors to gain entry.
Bonus: MFA can block over 99% of attacks that rely on compromised credentials, according to Microsoft Research.
Regular IT Audits
Understanding your IT asset ecosystem, and who has access to those assets, is a critical step in protecting your organization from risk. Consider hardware assets (e.g. computers, hard drives, printers, scanners, monitors, and mobile devices), software assets (e.g. operating systems, applications like your CRM, security software, cloud-based apps, digital assets, websites and domains, multimedia content), and your business data. If you don’t already have them, consider instituting Device Management and Data Governance policies.
Bonus: conducting regular audits can bring critical cost-savings, too, by identifying under-utilized licenses and tools.
Security Patches and Updates
Make sure you stay current with security patches and updates to protect your devices, and keep your antivirus software updated. Implementing a patch management policy and automating patching is the easiest way to ensure that you are keeping up with all those security and software updates.
Bonus: These regular updates will also improve system performance and ensure you have access to the latest features.
Finally, your staff are the foundation of your defense – good education and awareness go a long way. Cybersecurity is a team sport – everyone is responsible. Helping your staff spot threats and respond effectively is perhaps the most critical defense of all. “Cybersecurity isn’t just about technology—it’s about protecting the mission, the people, and the trust that nonprofits work so hard to build,” says Greg Bugbee, CISSP, CISO at Novus Insight. “The basics matter, but so does leadership: when boards and executives ask the right questions and set clear expectations, they turn risk into resilience.”
5 Best Practices for Proactive Protections
Once you have a strong defense, your organization is ready to move on to proactive elements of a mature cybersecurity program.
Here are the next five strategies you should consider:
Incident Response Planning
Develop an incident response plan (IRP) so you will be ready to respond should anything happen. Your IRP is a comprehensive, documented strategy detailing how you will prepare for, detect, respond to, and recover from cybersecurity attacks or other disruptions, in order to minimize damage and ensure business continuity. It is important to remember that a plan is not a substitute for practice – strong organizations conduct regular tabletop exercises and simulations so that everyone knows what to do when something goes wrong.
Bonus: Planning and practicing for a cyber attack can prepare the organization for other non-technical threats or risks to business continuity.
Compliance and Risk Management
You should conduct annual risk assessments of your procedures and assets. By prioritizing risks, your organization can develop strategies to adapt to changing circumstances so that you can achieve your strategic objectives.
Bonus: Risk assessments help an organization uncover potential vulnerabilities and threats before they become major problems, stay on top of important compliance needs, and identify areas for continued improvement.
Cyber Insurance
Purchasing cyber insurance provides some peace of mind about your data and your financial liabilities. Costs vary, but cyber insurance can be relatively inexpensive ($1,500 to $2,000 annually), and if it is bundled with other policies, such as general liability, organizations may receive discounts.
Bonus: Purchasing cyber insurance will enhance your security posture, because you will need to have some basic protections in place in order to apply for it.
Pen Testing
Penetration testing (or “pen testing,” as it is known) is a simulated cyberattack to find and exploit vulnerabilities in your systems, networks, and applications. Organizations can contract with security professionals who use attacker tools and techniques to find weaknesses in your systems and make recommendations for remediating those vulnerabilities. A general recommendation is to conduct pen testing at least annually; if your organization handles sensitive data or makes infrastructure changes, you may need to test more frequently.
Vendor Management
Many organizations work with a number of outside vendors. Vendor selection is an important part of an organization’s cybersecurity protection. Vendors sometimes have access to sensitive parts of your business. It’s a best practice to limit data access when possible or only allow access for the limited necessary time. In your contracts, be sure to include security clauses and make critical security provisions non-negotiable.
To help organizations mature their defenses, a strong security partner or Security Operations Center (SOC) that specializes in protecting against cyber threats can be an important resource. Such a partner helps proactively detect, analyze, and respond to security incidents, and helps ensure the integrity and confidentiality of an organization’s data and systems.
Cybersecurity
Cybersecurity is essential but it doesn’t have to be overwhelming. Every organization needs protection, good practices and the policies and governance to fortify your organizational assets. Frank McGothigan at the Ford Foundation puts it another way: “Privacy is not something that a product can solve for, it’s a lifestyle that is built on personal choices we make.”
– Start with the five basics of defense. Provide your staff with training to spot and respond to threats.
– Move from defensive tactics to proactive strategies. Identify your biggest risks, set priorities with a focus on high-impact and low-cost actions, and have a tested plan for what to do when things go wrong.
– Find reputable security partners to help you stay vigilant and prepared to respond effectively to your threats and risks.
Best practices are key. However, boards, executives, and staff must share responsibility for cyber resilience. Even if you rely on a third-party IT provider, ultimate accountability for safeguarding donor trust and mission-critical systems belongs to you.
— Jean Westrick
Executive Director, Technology Association of Grantmakers